Unrated severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026
LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()
CVE-2026-30954
Description
LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/Kovah/LinkAce/security/advisories/GHSA-vc99-cgj6-wwxhmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.